Chris Hoofnagle HOW the FAIR CREDIT REPORTING ACT REGULATES BIG DATA

From: Chris Jay Hoofnagle To: Privacyrfc2014 Subject: Comments on PCAST Report Date: Monday, August 04, 2014 9:46:18 PM Attachments: LEGAL-Hoofnagle-How-FCRA-Regulates-Big-Data.pdf ATT00001..htm

Dear NTIA,

I submit the attached paper that responds to several of the questions raised in your request for comments concerning the PCAST report.

My comment focuses on problems in use regulation approaches in privacy law. Generally speaking, use regulations are very difficult to enforce. I can say this from years in experience in being involved in consumer privacy lawsuits concerning data practices. First, companies often do not have access controls and cannot even identify the employees who had access to customer data. Thus, they cannot even tell how data were used.

Second, once data is in the possession of a company, it can raise first amendment defenses to use regulations. These defenses would not apply to collection limitation rules. Thus, use regulations would always have to satisfy at least intermediate scrutiny.

Third, the PCAST report introduces a new loophole to use regulations: “analysis” is not considered a use. This introduces a new defense, creating a new hurdle for wronged consumers who are trying to protect their privacy rights. It also makes little sense because citizens would be offended by many kinds of analysis that is not implemented as a use. For instance, Edward Snowden alleged that NSA employees were passing around sexually-explicit pictures of individuals that were captured by the agency. Was this a use or an analysis? If it is just an analysis because the data were not used to make an agency decision, does that lessen the privacy invasion?

Finally, the attached paper discusses what use regulations have meant for the citizen in the context of credit reporting. The FCRA, a use based regime, has on one hand enabled a vigorous market for credit, but on the other, has created a largely unaccountable and unresponsive industry. The PCAST report does not explain how its framework will improve upon the pathologies of the FCRA. Also, many of the industry-sponsored studies supporting use regulations omit any discussion of FCRA.

Big data has been with us since at least the 1960s. Today, when people talk about big data, they really mean the idea that the tools for large-scale data analysis have been democratized. This means that individuals with little statistical sophistication can engage in analysis today that years ago required training in a proprietary statistical program. So we have a democratization of powerful tools, in the hands of some who do not understand them, and a proposal to just let them collect whatever they want and let loose with whatever “analysis” they can produce. What could possibly go wrong?

Respectfully submitted, Chris Hoofnagle HOW THE FAIR CREDIT REPORTING ACT REGULATES BIG DATA

Chris Jay Hoofnagle

INTRODUCTION

This short essay makes two observations concerning "big data." First, big data is not new. Consumer reporting, a field where information about individuals is aggregated and used to assess credit, tenancy, and employment risks, achieved the status of big data in the 1960s. Second, the Fair Credit Reporting Act of 1970 (FCRA) provides rich lessons concerning possible regulatory approaches for big data.

Some say that "big data" requires policymakers to rethink the very nature of privacy laws. They urge policymakers to shift to an approach where governance focuses upon "the usage of data rather than the data itself."1 Consumer reporting shows us that while use-based regulations of big data provided more transparency and due process, they did not create adequate accountability. Indeed, despite the interventions of the FCRA, consumer reporting agencies (CRAs) remain notoriously unresponsive and unaccountable bureaucracies.

Like today's big data firms, CRAs lacked a direct relationship with the consumer, and this led to a set of predictable pathologies and externalities. CRAs have used messy data and fuzzy logic in ways that produce error costly to consumers. CRAs play a central role in both preventing and causing identity fraud, and have turned this problem into a business opportunity in the form of credit monitoring. Despite the legislative bargain created by the FCRA, which insulated CRAs from defamation suits, CRAs have argued that use restrictions are unconstitutional.

Big data is said to represent a powerful set of technologies. Yet, proposals for its regulation are weaker than the FCRA. Calls for a pure use- based regulatory regime, especially for companies lacking the discipline imposed by a consumer relationship, should be viewed with skepticism.

1 WORLD ECONOMIC FORUM, UNLOCKING THE VALUE OF PERSONAL DATA: FROM COLLECTION TO USAGE 4 (Feb. 2013), available at http://www3.weforum.org/docs/WEF_IT_UnlockingValuePersonalData_CollectionUsage_ Report_2013.pdf. 2 HOW THE FCRA REGULATES BIG DATA

ORIGINS

Consumer reporting is over a century old.2 Starting with local efforts to share information about credit risks, consumer reporting agencies began operating regionally in the 1950s and 1960s. Even then, consumer reporting would certainly qualify under any definition of "big data." The volume of data and the increasingly nationwide operations of CRAs necessitated a move from paper records to computers. Computing also enabled deeper analysis of credit risks, enabled the emergence of credit scoring, and created business models around fine-tuned credit offers, extending even into the subprime market.

Consumer reporting is essential to a modern economy. Consumer reporting can reduce credit discrimination, by focusing lenders' attention away from moral considerations to more objective financial risk factors. It reduces transaction costs for consumers, who can shop around for credit without having to establish a deep relationship with each potential creditor.

At the same time, such reporting must be performed fairly for all to enjoy the benefits of credit. Prior to the passage of the FCRA, Robert Ellis Smith recounts that CRAs collected information about sexual orientation, couples that lived out of wedlock, alcohol-consumption habits, and rumors of encounters with the police. Investigators even fabricated derogatory information about individuals.3 Congress recognized that absent a direct relationship with consumers, CRAs had inadequate incentives to treat individuals fairly. A primary purpose thus of the FCRA was to end the collection of "irrelevant" information.4

The FCRA is a complex statute that has been amended multiple times. Its primary provisions concern "permissible uses" of consumer credit information, requirements that data be verifiable, and access and correction rights. By complying with these safeguards, CRAs were shielded from defamation suits.

2 rd Evan Hendricks, CREDIT SCORES & CREDIT REPORTS 183 (Privacy Times 2007, 3 Ed.). 3 Robert Ellis Smith, BEN FRANKLIN'S WEB SITE, PRIVACY AND CURIOSITY FROM PLYMOUTH ROCK TO THE INTERNET 317 (Privacy Journal 2004). 4 Anthony Rodriguez, Carolyn L. Carter & William P. Ogburn, FAIR CREDIT th REPORTING 10 (NCLC Press 2002, 5 ed.). HOW THE FCRA REGULATES BIG DATA 3 A. Permissible Uses of Consumer Reports

The FCRA's primary regulation comes in the form of "permissible" uses of consumer reports. 15 USC § 1681b specifies a range of uses, including for issuing credit, evaluating a prospective employee, underwriting an insurance policy, and a catch all "legitimate business purpose" exception for transactions initiated by the consumer. Non-enumerated uses are impermissible, thus the FCRA essentially whitelists the scope of permissible uses of data. The FCRA approach is thus very different from proposals for big data, which lean towards permitting any kind of analysis using data, and instead limiting certain decision making from analyses.

B. Maximum Possible Accuracy: A Form of Collection Limitation

In preparing a consumer report, a CRA must, "follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates."5 This standard presumably becomes more stringent with time, as data collection and reporting systems improve. It is also supplemented with the duty of a CRA to verify disputed information, and in cases where data are "inaccurate or incomplete or cannot be verified," the CRA must promptly delete the disputed item.6

In effect, the interplay between maximum possible accuracy and the duty to verify and delete embeds a collection limitation rule in the FCRA. As noted above, prior to passage of the FCRA, embarrassing and irrelevant derogatory information was collected or fabricated by investigators. After passage of the FCRA, consumer reporting agencies were more restrained in collecting irrelevant information, because this information inherently cannot be verified. The requirement shifted consumer reporting agencies focus to verifiable credit-related information.7

C. Transparency and Correction Provisions

Consumers are probably most familiar with the FCRA's transparency provisions, which entitle individuals to obtain a free copy of their consumer report from each nationwide agency once a year. Additionally, consumers

5 15 USC 1681e (2013) 6 15 USC 1681i (a)(5)(A) (2013). 7 Mark Furletti, An Overview and History of Credit Reporting, Federal Reserve Bank of Philadelphia Payment Cards Center Discussion Paper No. 02-07, June 2002, available at http://ssrn.com/abstract=927487. 4 HOW THE FCRA REGULATES BIG DATA have the right to dispute errors on reports; this requires CRAs to conduct a "reasonable" investigation into the disputed item or delete it within thirty days.

ACCOUNTABILITY AND THE FCRA

Despite the duties imposed by the FCRA, the accountability of CRAs to data subjects may charitably be described as problematic. Gone are the days where CRAs reported on couples living in various states of sin. But freed from the discipline created by the threat of defamation liability, and freed from limits upon collection of data, CRA's incentives are to minimize the costs associated with user rights to access and correction or to turn them into profit centers. For instance, after Congress imposed the responsibility to provide free consumer reports, Experian drew consumers away from the free service (annualcreditreport.com) by operating a misleadingly named site (freecreditreport.com) that sold expensive credit monitoring.8

The consumer reporting agencies are frequent targets of consumer suits (Westlaw produces over 1,400 suits with CRAs' names in case captions), but the systematic lack of accountability is summarized well by the following survey of Federal Trade Commission litigation against these companies.

A. Unanswered Phones

On the most basic level, it is notoriously difficult to interact with CRAs. The FTC sued all three major CRAs in 2000 because they did not answer their phones and when they did, some consumers were placed on unreasonably long holds. According to the FTC complaints, over one million calls to Experian and Trans Union went unanswered; Equifax neglected "hundreds of thousands of calls."9 The companies paid fines and agreed to auditing to ensure adequate call availability. But a year later, Equifax paid additional fines for not answering phone calls.

8 FEDERAL TRADE COMMISSION, MARKETER OF “FREE CREDIT REPORTS” SETTLES FTC CHARGES, "FREE" REPORTS TIED TO PURCHASE OF OTHER PRODUCTS; COMPANY TO PROVIDE REFUNDS TO CONSUMERS, Aug. 15, 2005, available at http://www.ftc.gov/opa/2005/08/consumerinfo.shtm 9 U.S. v. Experian Information Solutions, Inc., 3-00CV0056-L (N.D. Tx. 2000)(citing complaint), available at http://www.ftc.gov/os/caselist/ca300cv0056l.shtm; U.S. v. Equifax Credit Information Services, Inc. 1:00-CV-0087 (N.D. Ga. 2000)(citing complaint), available at http://www.ftc.gov/os/caselist/9923016.shtm; U.S. v Trans Union LLC, 00-C- 0235 (ND Il. 2000)(citing complaint), available at http://www.ftc.gov/os/caselist/00c0235.shtm. HOW THE FCRA REGULATES BIG DATA 5

B. A First Amendment Right to Ignore Use Restrictions

More fundamentally, CRAs have flouted the use restrictions imposed by the FCRA. Equifax recently settled a FTC case alleging that the company sold data in violation of use restrictions to a company that resold the data to "third parties that then used it to market products to consumers in financial distress, including companies that have been the subject of law enforcement investigations."10

Even more problematic and relevant to the current debate surrounding big data is the rationale for violating use restrictions—the first amendment. For instance, Trans Union was unwilling to follow use restrictions upon its data, and sold it to create target marketing lists. The company challenged use restrictions as an impingement upon its first amendment rights.11

C. Inaccuracy

Big data enthusiasts have argued that companies should embrace "messy" data;12 that errors in databases actually help enhance knowledge discovery.13 In the consumer reporting context, fuzzy matching and errors have nearly wrecked individuals' lives. One well-known anecdote concerns Judy Thomas, who sued Trans Union for regularly mixing her report with a Judith Upton. As FCRA expert Evan Hendricks explained, "Upton's Social Security number was only one digit different than Thomas' SSN. That, combined with three common letters in the first name, was sufficient to cause a regular merging of the two women's credit histories."14

But this problem is not just anecdotal; it is structural. In a landmark and

10 FTC SETTLEMENTS REQUIRE EQUIFAX TO FORFEIT MONEY MADE BY ALLEGEDLY IMPROPERLY SELLING INFORMATION ABOUT MILLIONS OF CONSUMERS WHO WERE LATE ON THEIR MORTGAGES, IN SEPARATE ACTIONS, EQUIFAX AND ITS CUSTOMERS WILL PAY A TOTAL OF $1.6 MILLION, FEDERAL TRADE COMMISSION, Oct. 10, 2012, available at http://www.ftc.gov/opa/2012/10/equifaxdirect.shtm. 11 Trans Union LLC v. Federal Trade Commission, 536 U.S. 915 (2002)(J. Kennedy dissenting from denial of certiori). 12 Viktor Mayer-Schonberger & Kenneth Cukier, BIG DATA: A REVOLUTION THAT WILL TRANSFORM HOW WE LIVE, WORK, AND THINK (Eamon Dolan/Houghton Mifflin Harcourt 2013). 13 Jeff Jonas, Big Data. New Physics, Nov. 18, 2010, available at http://jeffjonas.typepad.com/jeff_jonas/2010/11/big-data-new-physics.html 14 Evan Hendricks, Oregon Jury, D.C. Circuit Continue Trans Union's Losing Streak, 22 Privacy Times 15 (Aug. 5, 2002), available at http://www.privacytimes.com/buttons/b3_FCRA.htm. 6 HOW THE FCRA REGULATES BIG DATA labor intensive study, academics working in conjunction with the FTC studied almost 3,000 credit reports belonging to 1,000 consumers and found that 26 percent had "material" errors—problems serious enough to affect the consumers' credit scores.15 Under the most conservative definition of error, this means that 23 million Americans have material errors on a consumer report. These errors matter: five percent of the study participants had errors that once corrected, improved their credit score such that they could obtain credit at a lower price.

D. The Externality of Identity Theft

The sine qua non of identity theft is the release of a consumer's report, through the trickery of an impostor. While most identity theft narratives frame this as the wrongdoing of a particular bad actor, a more nuanced look surfaces business incentives that fuel the problem.16 Simply put, CRAs forgo revenue when they tighten security and sell fewer reports. The lost time and money paid out of pocket to resolve identity theft are externalities imposed upon consumers by CRAs and creditor grantors incentives. CRAs have capitalized on this problem by selling credit monitoring.

CONCLUSION

Big data enthusiasts argue that data collection rules are antiquated and that future business models should be bound mainly by use restrictions. These arguments ignore our history with FCRA, with its decades-old application of use restrictions to big data. In the FCRA context, use based approaches produced systemic unaccountability, errors that cause people financial harm, and business externalities passed off as crimes.

Like modern big data firms, consumers have no direct relationship with CRAs and no ability to limit CRAs' collection of data. Such a structure gives the individual no exit from odious practices and inadequate accountability.

15 FEDERAL TRADE COMMISSION, REPORT TO CONGRESS UNDER SECTION 319 OF THE FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003 (Dec. 2012), available at http://www.ftc.gov/os/2013/02/130211factareport.pdf. 16 Chris Jay Hoofnagle, Internalizing Identity Theft, 13 UCLA J. L. & Tech. 1 (2009), available at http://ssrn.com/abstract=1585564